GM Credential Stuffing Attack Exposed Car Owners’ Personal Info
US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers’ information and allowed hackers to redeem rewards points for gift cards.
General Motors operates an online platform that lets owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and services and redeem rewards points.
Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.
Targeted in credential stuffing attack
GM disclosed that they detected the malicious login activity between April 11th and April 29th, 2022, and confirmed that the hackers redeemed customer reward points for gift cards in some cases.
“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization,” explains a data breach notification sent to affected customers.
GM states they will be restoring rewards points for all customers affected by this breach.
However, these breaches are not the result of General Motors itself being hacked; they were caused by a wave of credential stuffing attacks targeting customers on its platform.
Credential stuffing attacks are those in which threat actors take username/password combinations leaked in other sites’ data breaches and try them against user accounts on a different website, relying on people reusing the same password across services.
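Because a stuffing campaign replays pairs harvested from other breaches, its signature in a login log is many different usernames tried from one source in a short window, most of them failing, with a small number of successes mixed in. The script below is an added example, not code from GM or from this article: it parses constructed login records in an assumed `timestamp ip username result` format, scores each source IP on distinct usernames, failure ratio, and attempts per minute, and reports the accounts that were successfully entered from a flagged source so they can be forced through a password reset. The thresholds are illustrative assumptions.

```python
"""Flag credential-stuffing sources in web-login logs (added example).

Signal used: one source IP trying many *distinct* usernames quickly with a
high failure ratio. Accounts that logged in successfully from such a source
are reported as candidates for forced password reset.
"""
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <OK|FAIL>".
# 203.0.113.7 replays a breached list; the other two sources are ordinary users.
SAMPLE_LOG = """\
2022-04-11T10:00:01 203.0.113.7 alice.h FAIL
2022-04-11T10:00:02 203.0.113.7 bob.m FAIL
2022-04-11T10:00:02 203.0.113.7 carol.k OK
2022-04-11T10:00:03 203.0.113.7 dave.p FAIL
2022-04-11T10:00:03 203.0.113.7 erin.w FAIL
2022-04-11T10:00:04 203.0.113.7 frank.l OK
2022-04-11T10:00:05 203.0.113.7 grace.t FAIL
2022-04-11T10:00:05 203.0.113.7 heidi.r FAIL
2022-04-11T10:00:06 203.0.113.7 ivan.s FAIL
2022-04-11T10:00:06 203.0.113.7 judy.b FAIL
2022-04-11T10:00:07 203.0.113.7 mallory.q FAIL
2022-04-11T10:00:07 203.0.113.7 oscar.n FAIL
2022-04-11T10:01:00 198.51.100.4 alice.h FAIL
2022-04-11T10:01:20 198.51.100.4 alice.h OK
2022-04-11T10:05:00 192.0.2.9 peggy.v OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def score_sources(events):
    """Aggregate attempts, distinct users, failures and time window per source IP."""
    stats = {}
    for ts, ip, user, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "fails": 0,
                                  "hit_accounts": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hit_accounts"].add(user)   # account entered from this source
        else:
            s["fails"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def detect_stuffing(events, min_users=5, min_fail_ratio=0.6, min_rate_per_min=30):
    """Return {ip: summary} for sources that exceed all three thresholds (assumed values)."""
    flagged = {}
    for ip, s in score_sources(events).items():
        distinct_users = len(s["users"])
        fail_ratio = s["fails"] / s["attempts"]
        # Clamp the window to one second so a burst of identical timestamps does not divide by zero.
        window_s = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["attempts"] / window_s * 60
        if (distinct_users >= min_users and fail_ratio >= min_fail_ratio
                and rate >= min_rate_per_min):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": distinct_users,
                "fail_ratio": round(fail_ratio, 3),
                "rate_per_min": round(rate, 1),
                "hit_accounts": sorted(s["hit_accounts"]),  # force reset on these
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged, and `carol.k` and `frank.l` are reported as accounts to reset; the legitimate user at 198.51.100.4 who mistyped once is not touched. A single-IP heuristic is the simplest version of this detection: campaigns spread across many proxies show up instead as a site-wide jump in the failed-login ratio or in logins per account from previously unseen locations, so in practice this per-source score is paired with those global signals.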
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” explains a different data breach notification from GM.
“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”
GM requires affected users to reset their passwords before logging in to their accounts again.
Personal information exposed
When the hackers successfully breached a GM account, they could access certain information stored on the site. This information includes the following personal details:
- First and last name,
- personal email address,
- personal address,
- username and phone number for registered family members tied to the account,
- last known and saved favorite location information,
- currently subscribed OnStar package (if applicable),
- family members’ avatars and photos (if uploaded),
- profile picture,
- search and destination information.
Other information available to hackers who breach GM accounts includes car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and more.
However, the GM accounts do not hold date of birth, Social Security number, driver’s license number, credit card information, or bank account information, so that information hasn’t been compromised.
Apart from resetting passwords, General Motors also advises impacted individuals to request credit reports from their banks and place a security freeze if the case calls for it. Instructions on how to do either are enclosed in the notice.
Unfortunately, GM’s online site does not support two-factor authentication, which would block credential stuffing logins even when the reused password is correct. However, customers can set a PIN that is required for all purchases.
As for the number of affected customers, GM has only submitted a notification sample to the Attorney General’s Office of California, so we only know the number of impacted clients in that state, which is just below 5,000.
Bleeping Computer has contacted General Motors for more information on that front, and we will update this post as soon as we receive a response.